feat:update dockerfile and some script,fix code stuck in create dcap …

…collateral step

Cargo.toml

@@ -294,7 +294,7 @@ asn1_der = { version = "0.7", default-features = false}
 base64 = { version = "0.13", default-features = false, features = ["alloc"] }
 bigdecimal = "0.4"
 byteorder = { version = "1.5.0", default-features = false }
-chrono = { version = "0.4", default-features = false }
+chrono = { version = "0.4.31", default-features = false }
 clap = { version = "4.5", features = ["derive"] }
 codec = { package = "parity-scale-codec", version = "3.6.1", default-features = false }
 scale-codec = { package = "parity-scale-codec", version = "3.6.1", default-features = false }
@@ -375,9 +375,9 @@ scale-info = { version = "2.11", default-features = false }
 scale-value = "0.16"
 schnorrkel = { version = "0.11", default-features = false }
 scopeguard = { version = "1.1", default-features = false }
-serde = { version = "1.0", default-features = false }
+serde = { version = "1", default-features = false }
 serde_cbor = "0.11.2"
-serde_json = { version = "1.0", default-features = false }
+serde_json = { version = "1.0.108", default-features = false }
 serde-json-core = { version = "0.5", default-features = false }
 sha2 = { version = "0.10", default-features = false }
 soketto = "0.8"

crates/cestory/src/ceseal_service.rs

@@ -903,15 +903,25 @@ impl<Platform: pal::Platform + Serialize + DeserializeOwned> Ceseal<Platform> {
                         AttestationReport::SgxIas { ra_report, .. } => {
                             match SgxFields::from_ias_report(&ra_report[..]) {
                                 Ok((sgx_fields, _)) => {
-                                    info!("RA report measurement       :{}", hex::encode(sgx_fields.measurement()));
-                                    info!("RA report measurement hash  :{:?}", sgx_fields.measurement_hash());
+                                    info!("EPID RA report measurement       :{}", hex::encode(sgx_fields.measurement()));
+                                    info!("EPID RA report measurement hash  :{:?}", sgx_fields.measurement_hash());
                                 },
                                 Err(e) => {
                                     error!("deserial ias report to SgxFields failed: {:?}", e);
                                 },
                             }
                         },
-                        AttestationReport::SgxDcap { quote:_, collateral:_ } => todo!(),
+                        AttestationReport::SgxDcap { quote, collateral:_ } => {
+                            match SgxFields::from_dcap_quote_report(&quote) {
+                                Ok((sgx_fields, _)) => {
+                                    info!("DCAP measurement       :{}", hex::encode(sgx_fields.measurement()));
+                                    info!("DCAP measurement hash  :{:?}", sgx_fields.measurement_hash());
+                                },
+                                Err(e) => {
+                                    error!("deserial dcap report to SgxFields failed: {:?}", e);
+                                },
+                            }
+                        },
                     }
                 }
             }

crates/sgx-attestation/Cargo.toml

@@ -5,7 +5,7 @@ edition = "2021"
 
 [dependencies]
 serde = { workspace = true, features = ["derive"] }
-serde_json = { workspace = true, features = ["alloc"], optional = true }
+serde_json = { workspace = true, features = ["preserve_order"], optional = true }
 hex = { workspace = true, features = ["alloc"] }
 base64 = { workspace = true, features = ["alloc"] }
 parity-scale-codec = { workspace = true, features = ["derive"] }

crates/sgx-attestation/src/dcap/report.rs

@@ -113,7 +113,12 @@ pub fn create_attestation_report(
     let collateral = if pccs_url.is_empty() {
         None
     } else {
-        let collateral = tokio::runtime::Runtime::new()?.block_on(async {get_collateral(pccs_url, &quote, timeout).await})?;
+        let collateral = tokio::task::block_in_place(||{
+            let rt = tokio::runtime::Runtime::new().unwrap();
+            rt.block_on(async {
+                get_collateral(pccs_url, &quote, timeout).await
+            })
+        })?;
         Some(Collateral::SgxV30(collateral))
     };
     Ok(AttestationReport::SgxDcap { quote, collateral })

scripts/docker/ceseal/gramine/handover.Dockerfile

@@ -59,7 +59,7 @@ ARG REAL_CESEAL_DATA_DIR=${CESEAL_HOME}/data/${CESEAL_VERSION}
 COPY --from=builder /root/prebuilt/ ${CESEAL_DIR}
 ADD --chmod=0755 ./scripts/docker/ceseal/gramine/start.sh ${CESEAL_DIR}/start.sh
 ADD --chmod=0755 ./scripts/docker/ceseal/gramine/start-with-handover.sh ${CESEAL_HOME}/start.sh
-
+ADD ./standalone/teeworker/ceseal/gramine-build/conf /opt/conf
 
 RUN <<EOF
   set -e

scripts/docker/ceseal/gramine/start-with-handover.sh

@@ -5,6 +5,16 @@ set -e
 if [ "$SGX" -eq 1 ] && [ "$SKIP_AESMD" -eq 0 ]; then
   echo "Starting AESMD"
 
+  if test -f "/opt/conf/aesmd.conf"; then
+    echo "Found custom aesmd.conf, override the default."
+    cp /opt/conf/aesmd.conf /etc/
+  fi
+
+  if test -f "/opt/conf/sgx_default_qcnl.conf"; then
+    echo "Found custom sgx_default_qcnl.conf, override the default."
+    cp /opt/conf/sgx_default_qcnl.conf /etc/
+  fi
+
   /bin/mkdir -p /var/run/aesmd/
   /bin/chown -R aesmd:aesmd /var/run/aesmd/
   /bin/chmod 0755 /var/run/aesmd/

scripts/docker/ceseal/gramine/start.sh

@@ -5,6 +5,16 @@ set -e
 if [[ "$SGX" -eq 1 && "$SKIP_AESMD" -eq 0 ]]; then
   echo "Starting AESMD"
 
+  if test -f "/opt/conf/aesmd.conf"; then
+    echo "Found custom aesmd.conf, override the default."
+    cp /opt/conf/aesmd.conf /etc/
+  fi
+
+  if test -f "/opt/conf/sgx_default_qcnl.conf"; then
+    echo "Found custom sgx_default_qcnl.conf, override the default."
+    cp /opt/conf/sgx_default_qcnl.conf /etc/
+  fi
+
   /bin/mkdir -p /var/run/aesmd/
   /bin/chown -R aesmd:aesmd /var/run/aesmd/
   /bin/chmod 0755 /var/run/aesmd/

standalone/teeworker/ceseal/gramine-build/Makefile

@@ -52,6 +52,7 @@ signed-sgx-artifacts: ${BIN_NAME}.manifest ${BIN_NAME}.manifest.sgx ${BIN_NAME}.
 .PHONY: ${BIN_FILE}
 ${BIN_FILE}:
 	@echo "SGX_ENV: ${SGX_ENV}"
+	@echo "RA_METHOD: ${RA_METHOD}"
 	@echo "IAS_SPID: ${IAS_SPID}"
 	@echo "IAS_API_KEY: ${IAS_API_KEY}"
 	@echo "BUILD: ${BUILD}"
@@ -71,6 +72,7 @@ ${BIN_NAME}.manifest: ${BIN_NAME}.manifest.template
 		-Dseal_dir=${CESEAL_SEAL_DIR} \
 		-Dstorage_dir=${CESEAL_STORAGE_DIR} \
 		-Dlibdir=${RUNTIME_DIR}/lib/ \
+		-Darch_libdir=${ARCH_LIBDIR}/ \
 		-Dlibos=${LIBOS} \
 		-Dra_method=${RA_METHOD} \
 		$< $@

standalone/teeworker/ceseal/gramine-build/ceseal.manifest.template

@@ -72,11 +72,13 @@ ra_client_spid = "{{ ra_client_spid }}"
 trusted_files = [
   "file:{{ libos }}",
   "file:ceseal",
+  "file:{{ arch_libdir }}",
   "file:{{ libdir }}",
 ]
 
 allowed_files = [
   "file:/etc/hosts",
   "file:/etc/resolv.conf",
+  "file:/etc/sgx_default_qcnl.conf",
   "file:{{ storage_dir }}/",
 ]

standalone/teeworker/ceseal/gramine-build/conf/aesmd.conf

@@ -0,0 +1,10 @@
+#proxy type    = direct #direct type means no proxy used
+#proxy type    = default #system default proxy
+#proxy type    = manual #aesm proxy should be specified for manual proxy type
+#aesm proxy    = http://proxy_url:proxy_port
+#whitelist url = http://sample_while_list_url/
+#default quoting type = ecdsa_256
+#default quoting type = epid_linkable
+#default quoting type = epid_unlinkable
+#qpl log level = error
+#qpl log level = info

standalone/teeworker/ceseal/gramine-build/conf/sgx_default_qcnl.conf

@@ -0,0 +1,73 @@
+{
+  // *** ATTENTION : This file is in JSON format so the keys are case sensitive. Don't change them.
+
+  //PCCS server address
+  "pccs_url": "https://localhost:8081/sgx/certification/v4/"
+
+  // To accept insecure HTTPS certificate, set this option to false
+  ,"use_secure_cert": false
+
+  // You can use the Intel PCS or another PCCS to get quote verification collateral.  Retrieval of PCK 
+  // Certificates will always use the PCCS described in pccs_url.  When collateral_service is not defined, both 
+  // PCK Certs and verification collateral will be retrieved using pccs_url  
+  //,"collateral_service": "https://api.trustedservices.intel.com/sgx/certification/v4/"
+
+  // If you use a PCCS service to get the quote verification collateral, you can specify which PCCS API version is to be used.
+  // The legacy 3.0 API will return CRLs in HEX encoded DER format and the sgx_ql_qve_collateral_t.version will be set to 3.0, while
+  // the new 3.1 API will return raw DER format and the sgx_ql_qve_collateral_t.version will be set to 3.1. The pccs_api_version 
+  // setting is ignored if collateral_service is set to the Intel PCS. In this case, the pccs_api_version is forced to be 3.1 
+  // internally.  Currently, only values of 3.0 and 3.1 are valid.  Note, if you set this to 3.1, the PCCS use to retrieve 
+  // verification collateral must support the new 3.1 APIs.
+  //,"pccs_api_version": "3.1"
+
+  // Maximum retry times for QCNL. If RETRY is not defined or set to 0, no retry will be performed.
+  // It will first wait one second and then for all forthcoming retries it will double the waiting time.
+  // By using retry_delay you disable this exponential backoff algorithm
+  ,"retry_times": 6
+
+  // Sleep this amount of seconds before each retry when a transfer has failed with a transient error
+  ,"retry_delay": 10
+
+  // If local_pck_url is defined, the QCNL will try to retrieve PCK cert chain from local_pck_url first,
+  // and failover to pccs_url as in legacy mode.
+  //,"local_pck_url": "https://localhost:8081/sgx/certification/v4/"
+
+  // If local_pck_url is not defined, set pck_cache_expire_hours to a none-zero value will enable local cache. 
+  // The PCK certificates will be cached in memory and then to the disk drive. 
+  // The local cache files will be sequentially searched in the following directories until located in one of them:
+  // Linux : $AZDCAP_CACHE, $XDG_CACHE_HOME, $HOME, $TMPDIR, /tmp/
+  // Windows : $AZDCAP_CACHE, $LOCALAPPDATA\..\..\LocalLow
+  // Please be aware that the environment variable pertains to the account executing the process that loads QPL,
+  // not the account used to log in. For instance, if QPL is loaded by QGS, then those environment variables relate to
+  // the "qgsd" account, which is the account that runs the QGS daemon.
+  // You can remove the local cache files either manually or by using the QPL API, sgx_qpl_clear_cache. If you opt to
+  // delete them manually, navigate to the aforementioned caching directories, find the folder named .dcap-qcnl, and delete it.
+  // Restart the service after all cache folders were deleted. The same method applies to "verify_collateral_cache_expire_hours"
+  ,"pck_cache_expire_hours": 168
+
+  // To set cache expire time for quote verification collateral in hours
+  // See the above comment for pck_cache_expire_hours for more information on the local cache.
+  ,"verify_collateral_cache_expire_hours": 168
+
+  // When the "local_cache_only" parameter is set to true, the QPL/QCNL will exclusively use PCK certificates 
+  // from local cache files and will not request any PCK certificates from service providers, whether local or remote. 
+  // To ensure that the PCK cache is available for use, an administrator must pre-populate the cache folders with 
+  // the appropriate cache files. To generate these cache files for specific platforms, the administrator can use 
+  // the PCCS admin tool. Once the cache files are generated, the administrator must distribute them to each platform 
+  // that requires provisioning.
+  ,"local_cache_only": false
+
+  // You can add custom request headers and parameters to the get certificate API.
+  // But the default PCCS implementation just ignores them. 
+  //,"custom_request_options" : {
+  //  "get_cert" : {
+  //    "headers": {
+  //      "head1": "value1"
+  //    },
+  //    "params": {
+  //      "param1": "value1",
+  //      "param2": "value2"
+  //    }
+  //  }
+  //}
+}

standalone/teeworker/ceseal/src/pal_gramine.rs

@@ -61,6 +61,7 @@ impl RA for GraminePlatform {
             Some(AttestationProvider::Dcap) => {
                 const CESS_DCAP_PCCS_URL: &str = env!("DCAP_PCCS_URL");
                 let attestation_report = Some(sgx_attestation::dcap::report::create_attestation_report(data, CESS_DCAP_PCCS_URL, timeout)?);
+                info!("Generate dcap collateral success!");
                 Ok(Encode::encode(&attestation_report))
             }
             None => Ok(Encode::encode(&None::<AttestationProvider>)),

standalone/teeworker/cifrost/src/lib.rs

@@ -186,6 +186,7 @@ async fn try_register_worker(
         .await?;
         Ok(true)
     } else {
+        info!("No attestation evidence from ceseal runtime_info!");
         Ok(false)
     }
 }

standalone/teeworker/cifrost/src/types.rs

@@ -197,13 +197,15 @@ pub struct Args {
 pub enum RaOption {
     None,
     Ias,
+    Dcap,
 }
 
 impl From<RaOption> for Option<AttestationProvider> {
     fn from(other: RaOption) -> Self {
         match other {
             RaOption::None => None,
             RaOption::Ias => Some(AttestationProvider::Ias),
+            RaOption::Dcap => Some(AttestationProvider::Dcap),
         }
     }
 }